PCI Requirement 126.96.36.199 – Additional Requirement for Service Providers Only: If Segmentation is Used, Confirm PCI DSS Scope by Performing Penetration Testing on Segmentation Controls at Least Every Six Months and After Any Changes
Segmentation, Scoping, and Penetration Testing
Are you a service provider? Do you use segmentation for the purpose of PCI scope reduction? PCI Requirement 188.8.131.52 outlines new PCI penetration testing requirements and caused confusion among many service providers. PCI Requirement 184.108.40.206 states, “If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.”
PCI Requirement 220.127.116.11 requires that a penetration test, which validates the scope and effectiveness of segmentation controls, be performed every six months or after any changes to segmentation controls. The purpose of this additional penetration test is to ensure that segmentation controls continue to operate effectively throughout the year. The continual, complete isolation between CDE and non-CDE systems is key to your PCI compliance.
Our approach to compliance with PCI Requirement 18.104.22.168 involves more than simply validating segmentation controls through port scanning activities. The PCI DSS specifies that penetration testing must be performed, meaning that it is not sufficient to only perform something like nmap scans from non-CDE to CDE networks. Additional effort is required in order to meet this requirement for penetration testing, and our team of penetration testers is ready to help.
There was a new requirement introduced in PCI DSS v3.2, which is PCI Requirement 22.214.171.124. It states that if you are a service provider, you need to validate that your segmentation is in place at least bi-annually, and then after any significant changes to the environment or controls that might affect your segmentation.